Security Center
Welcome to Conductor's Security Center. At Conductor, ensuring the security and privacy of our customers' data is our top priority. This portal provides insight into our security practices and protocols, as well as access to essential documentation. Learn how we safeguard your information and maintain the highest standards of data protection.
Frequently Asked Questions
Conductor is a SaaS platform that provides real-time technical insights, enables keyword and topic research, recommends content improvements, and reports on website performance.
Neither Conductor’s core product nor our platform stores or processes personal information. Conductor collects only the necessary personal data for account management, authentication, and service delivery, such as names, email addresses, and usage analytics.
Conductor offers two secure authentication methods: Username and password via our sign-in page (with two-factor authentication supported) / Single Sign-On (SSO) using a SAML-enabled identity provider for seamless and secure access.
Yes, Conductor supports SSO through SAML, allowing users to authenticate using their organization’s identity provider.
Conductor enforces strict password policies, including complexity requirements. Multi-Factor Authentication (MFA) is also supported to provide an additional layer of security against unauthorized access.
Passwords must be at least 8 characters long, include uppercase/lowercase letters, a number, and a special character, and have a history of 5 previous passwords.
Conductor maintains a mature Information Security Management System (ISMS) in accordance with ISO27001:2022. This includes Acceptable Use, Access Control, Cryptography, Incident Response, Business Continuity, and more.
No, ISMS policies are confidential, for internal use only, and cannot be shared externally. However, we are happy to discuss any aspect of our Information Security and/or Compliance programs.
Customer data is encrypted at rest and in transit, securely stored in certified datacenters, and logically separated from other data. For more information, please refer to Conductor’s Security Trust Center.
Conductor employs firewalls, IDS/IPS, boundary defenses, and malware detection to protect its network and applications.
Conductor conducts regular vulnerability scans, automated security testing, and penetration tests to identify and remediate risks.
Yes, Conductor follows a structured patch management process to address vulnerabilities promptly.
Yes, Conductor performs annual third-party penetration tests on its applications and infrastructure.
A redacted version of the latest penetration testing report is available, including methodology, scope, level of effort, and vulnerability statistics (without technical details).
Conductor established a Secure Software Development Life Cycle (SDLC) with strict access controls, secure coding practices, mandatory code reviews, and SAST integration in CI/CD pipelines.
Conductor keeps test and development environments separate from production, ensuring no live data is used. PII is anonymized, and secure DevOps and CI/CD practices are followed to manage releases safely.
Conductor enforces strict access controls, requiring MFA for admin access. All access is logged, audited, and approved through a documented process, ensuring system integrity and security.
All access follows strict Role-Based Access Control (RBAC). Access is reviewed quarterly and requires approval through logged access request tickets.
Yes, all infrastructure, application, database, and security logs are collected in a centralized monitoring system (SIEM) and analyzed for anomalies.
No, logs are not shared externally due to security and confidentiality reasons.
Customer's Data is retained based on predefined retention periods and securely deleted upon Customer's request.
Upon request, Conductor ensures secure data erasure through logical or physical deletion methods, adhering to industry best practices.
Yes, Conductor maintains and tests a BCP / Disaster Recovery Plan annually to ensure service continuity.
Conductor's Recovery Time Objective (RTO) is 24 hours, and the Recovery Point Objective (RPO) is less than 1 hour, ensuring timely recovery and minimal data loss in the event of an incident.
Conductor conducts regular Disaster Recovery (DR) testing to ensure business continuity and system resilience. These are reviewed annually by our independent auditor as part of our ongoing ISO27001 certification. While full DR test results are considered confidential, a high-level summary of the test, including scope, methodology, and success criteria, may be shared upon request.
Backups are performed regularly (intra-day), encrypted, integrity-checked, and stored in a separate location.
Conductor has a Due Diligence process for all new software, services, and vendors.
Yes, subject to legal and regulatory restrictions, new employees undergo a criminal background check before joining.
Yes, Conductor maintains a comprehensive cyber insurance policy to cover cyber risks, including data breaches, security incidents, and other cyber threats.
Certain features and functionality within Conductor’s platforms are powered by AI to provide industry-leading insights.
At Conductor, we employ and maintain administrative, physical, and technical safeguards designed to protect the security, confidentiality, and integrity of our customers’ data.
Conductor's SLA for vulnerability remediation is as follows: Critical: Response Time – 4 hours / Remediation Time – 48 hours; High: Response Time – 8 hours / Remediation Time – 1 week; Medium: Response Time – 1 week / Remediation Time – 4 weeks; Low: Response Time – 2 weeks / Remediation Time – 8 weeks.
Yes, Conductor implements DMARC to ensure the authenticity of emails sent from our domain. This helps to protect our clients and employees from email-based threats such as phishing and spoofing attacks.
No. As stated in our AI Trust Policy and reiterated here, Conductor does not use your specific Customer Data to train our global AI models that are used by or benefit other Conductor customers.
Some Conductor AI features may utilize vetted third-party AI service providers. When this occurs, we ensure contractual safeguards are in place to protect your data, stipulating that your data is used solely to provide the service to you and is not used to train the third party's general models. We select providers who align with our stringent privacy and security standards.
Conductor's proprietary AI models are primarily trained on publicly available data, licensed third-party data, and aggregated, anonymized platform usage data that does not identify individual customers or their specific proprietary information.
We employ several strategies, including rigorous testing and validation of our AI models, using diverse data sets for training where appropriate, and incorporating human oversight and review processes. Many AI features are designed to assist users, who then apply their expertise. We are continuously working to improve accuracy and mitigate potential biases.
The availability of opt-out choices depends on the specific AI feature and its integration into the platform. We will provide information on any available choices within the platform or product documentation. Our aim is to offer AI features that provide clear value, and usage of many is inherently by choice.
While we strive for accuracy, AI-generated content should always be reviewed and validated by users before use or reliance, especially for critical decisions. Conductor provides AI tools to assist your efforts, and ultimate responsibility for content and strategy rests with your team. Our terms of service outline the responsibilities regarding the use of our platform.
If you think you may have discovered a vulnerability, please contact our security team.